This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Stolen Laptops and Knox

oschultz, Junior Member, edited May 2010 in Knox
Perhaps I am missing something here, but based on your endorsement of the product, I felt like it would be a great solution for securing most of my folders on my laptop in case it were stolen. Now that I am trying it out, I see that there is no option for the vault to auto eject/close, for the logical reason listed below from the FAQ:



[quote]Every once in a while, we receive requests to make Knox automatically close vaults after a customisable length of time. Instead, we recommend using a password-protected screensaver.

The reason for this is that if Knox were to automatically unmount a vault, we’d either have to err on the side of safety (do not unmount if there are open files) or of security (force the vault to be closed even if there are open files). We really don’t think that either one is a very good option all of the time: there will be times when you will want to close your vault on demand, no matter what, and there will be times when you want to ensure your data’s integrity, no matter what.[/QUOTE]



So essentially, if my laptop is stolen and the vaults are open, the protection is only as strong as my screen saver password provides. I know there are workarounds for cracking that easily. This doesn't seem like such great protection after all unless one manages to close their vaults prior to theft!



Thoughts? Thanks!

Comments

  • RobYoder
    RobYoder Agile Customer Care
    edited December 1969
    Hmm… I think you bring up a good point. If we allowed for automatic locking, which would you prefer - file safety or data security?



    I suppose we could go with file safety. In that case, the vault would lock on sleep or whenever you set, and if there were files open, it just wouldn't lock. Then the user would be responsible for it not locking. Users who want their vaults locked every time the computer sleeps would just need to make sure that all documents are saved and closed. I suppose anyone who wants their data secure will not leave those documents open while their computer is asleep anyway, so that might work.



    Summary: Sleep locks Knox vaults. If files are open, the Knox vault is not locked. Anyone who wants their data secure will not leave those files open anyway.



    What do you think? Good logic or not?
  • jxpx777
    jxpx777 AWS Code Wrangler
    edited December 1969
    I'd be interested in hearing more about cracking screensaver passwords. I know that some would just restart the Mac, but unless you have your user account automatically logging in, Knox automatically restoring open vaults, and the vaults' passwords stored in the keychain, the bad guy's going to have to enter a password somewhere. I think the current approach is still the best.
  • RobYoder
    RobYoder Agile Customer Care
    edited December 1969
    [quote name='Jamie']I'd be interested in hearing more about cracking screensaver passwords. I know that some would just restart the Mac, but unless you have your user account automatically logging in, Knox automatically restoring open vaults, and the vaults' passwords stored in the keychain, the bad guy's going to have to enter a password somewhere. I think the current approach is still the best.[/QUOTE]



    Is it not possible to scan the files on a hard drive outside of the Mac without the user password? If so, then said "bad guy" would only need to remove the hard drive and copy the files, right? If not, then what is the purpose of encrypting those files in the first place?
  • MikeT
    MikeT Agile Samurai
    edited December 1969
    [quote name='<Rob />']Is it not possible to scan the files on a hard drive outside of the Mac without the user password? If so, then said "bad guy" would only need to remove the hard drive and copy the files, right? If not, then what is the purpose of encrypting those files in the first place?[/QUOTE]



    The data is inside one data file. You can't open it without a password, period. It's completely encrypted inside, it looks scrambled and you can't pull any data off it; the only way the data can safely be decrypted is with a password (the encryption seed is based on the hash of your password), which means the outsider can perform millions of billions of password checks for years before he'll be able to find one. The key is a very strong password in the first place; if it is just 11111, then somebody'll break it within a sec. Luckily we have 1Password for that.



    The problem with setting a screensaver password ALONG with the vault passwords STORED in Keychain (which is never a good idea) is that it's fairly easy to change the root password with a system disc or single user mode boot. By changing the password, I do believe the keychain will be unlocked as well when the user logs in with the new password. I could be wrong and I could run the test to confirm.
  • RobYoder
    RobYoder Agile Customer Care
    edited December 1969
    [quote name='MikhailT']The data is inside one data file. You can't open it without a password, period. It's completely encrypted inside, it looks scrambled and you can't pull any data off it; the only way the data can safely be decrypted is with a password (the encryption seed is based on the hash of your password), which means the outsider can perform millions of billions of password checks for years before he'll be able to find one. The key is a very strong password in the first place; if it is just 11111, then somebody'll break it within a sec. Luckily we have 1Password for that.[/QUOTE]



    I meant if the Knox vault is not closed/locked. If it isn't closed, can't you read the data without a password?
  • oschultz
    oschultz Junior Member
    edited May 2010
    @Jamie - I had some Macs at work that had been used at a field office that was closed down. The employees that previously owned those macs were not available to provide passwords, and we wanted to keep all of the data so I looked around online and found this tip:



    http://en.kioskea.net/faq/4397-change-mac-admin-password-without-the-disk



    This wasn't actually a screen saver password issue, it was a login password issue. If my memory serves me correctly, by simply restarting the iMac or laptop (we had both) and following the directions, I was able to initiate a new admin account and get into both computers (Gasp!) :-o
  • MikeT
    MikeT Agile Samurai
    edited May 2010
    [quote name='<Rob />']I meant if the Knox vault is not closed/locked. If it isn't closed, can't you read the data without a password?[/QUOTE]



    It's automatically closed every time you restart or shut down. You can't open those files without an OS and password.



    I think what you're asking is if the file is stored on the external drives and if people took those external drives without closing the OS down. It doesn't matter, the data isn't decrypted on the drive itself. When you open, you're opening a path into the file, not opening the file itself.



    The weakest link is the memory chips: they can still store the encrypted data after the power is cut. So attackers can put the memory chips into something else and read data off them. Which means they can get the keys and data in them, and if they can get the keys, they'll be able to decrypt the data with the key.



    [quote name='oschultz']@Jamie - I had some Macs at work that had been used at a field office that was closed down. The employees that previously owned those macs were not available to provide passwords, and we wanted to keep all of the data so I looked around online and found this tip:



    http://en.kioskea.net/faq/4397-change-mac-admin-password-without-the-disk



    This wasn't actually a screen saver password issue, it was a login password issue. If my memory serves me correctly, by simply restarting the iMac or laptop (we had both) and following the directions, I was able to initiate a new admin account and get into both computers (Gasp!) :-o[/QUOTE]



    You aren't changing the password, you're creating a new admin account, and good luck trying to gain access to the keychain. You won't get it unlocked. Not to mention it won't work for encrypted FileVault either, since it's based on the former admin password.



    Also, it's not limited to Macs; Linux has the same security hole.
  • oschultz
    oschultz Junior Member
    edited December 1969
    Thanks for the info MikhailT. That all makes sense.



    So really, with a short screensaver time set up with a password, the chances of someone swiping your laptop and accessing your open vaults are very slim. Yes, they could set up a new admin account, but in doing so, it would require a restart, which would lock all the vaults in the process, correct? So I guess in my case, I was able to access all of the previous users' files on the computers because they had not been protected at all, and setting up an admin account gave me access to their home and document folders without requiring their account password or access to their keychain?



    Had the files been in a vault, the new admin account wouldn't have helped. That makes me feel better about my purchase!
  • DavidB
    DavidB Senior Member
    edited December 1969
    [quote name='MikhailT']The problem with setting a screensaver password ALONG with the vault passwords STORED in Keychain (which is never a good idea) is that it's fairly easy to change the root password with a system disc or single user mode boot. By changing the password, I do believe the keychain will be unlocked as well when the user logs in with the new password. I could be wrong and I could run the test to confirm.[/QUOTE]



    Is this true even if the account login and login Keychain password are different (not the default setting)?



    David
  • MikeT
    MikeT Agile Samurai
    edited December 1969
    [quote name='oschultz']Thanks for the info MikhailT. That all makes sense.



    So really, with a short screensaver time set up with a password, the chances of someone swiping your laptop and accessing your open vaults are very slim. Yes, they could set up a new admin account, but in doing so, it would require a restart, which would lock all the vaults in the process, correct? So I guess in my case, I was able to access all of the previous users' files on the computers because they had not been protected at all, and setting up an admin account gave me access to their home and document folders without requiring their account password or access to their keychain?



    Had the files been in a vault, the new admin account wouldn't have helped. That makes me feel better about my purchase![/QUOTE]



    Correct. If the user did not have FileVault enabled and set keychain access to auto-unlock on login, you can still get into their files even after changing their password.



    [quote name='DavidB']Is this true even if the account login and login Keychain password are different (not the default setting)?



    David[/QUOTE]



    If you changed the keychain password, then it's bound to that password only. Changing the admin password does not change the keychain password; the keychain is bound to the old admin's password. You can't currently change the keychain password nowadays except by cracking it with a tool that can take forever.
  • Guido
    Guido Junior Member
    edited December 1969
    Logical but lazy solution!

    How about this.

    We can choose both options in the future.

    If you choose to close the vault at a set time or automatically, Knox reminds you, like Apple does, with a 60 sec. alert beforehand.

    If you do not choose NO, it will save all documents used from the Knox vault (Apple Key + S) and close the vault, leaving a note that the Knox vault was closed after 60 sec. of no reaction.

    So if this happens and you want to save the document again, it will automatically tell you that this vault or volume is not available, so you can mount it again.

    Another question: Is Knox key-logger safe like 1Password???

    I don't think so. Couldn't find anything in the thin description!!!
  • MartyS
    MartyS AgileBits Customer Care (retired)
    edited December 1969
    Thank you, Guido, for your suggestions. We'll be looking to extend the Knox capabilities in the future, and perhaps something can be done to provide some of these options.
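The following is an added example (written for this thread, not Knox's own code) that models the three lock-on-sleep behaviours the thread argues over: the FAQ's "safety" and "security" options, RobYoder's lock-on-sleep-unless-files-open summary, and Guido's save-then-close proposal. The `Vault` class, the policy names and `exposure_if_stolen` are hypothetical.

```python
# Added example, not Knox code: a toy model of the auto-lock trade-off.
# All names (Vault, policy strings, exposure_if_stolen) are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Vault:
    name: str
    mounted: bool = True                               # open vault: key resident in RAM
    open_files: dict = field(default_factory=dict)     # path -> has unsaved changes?
    log: list = field(default_factory=list)

    def on_sleep(self, policy: str) -> str:
        """Decide what happens when the laptop sleeps or the idle timer fires."""
        if not self.mounted:
            return "already-locked"
        dirty = [p for p, unsaved in self.open_files.items() if unsaved]
        if policy == "safety":
            # FAQ option 1 / RobYoder's summary: never unmount over open files,
            # so the user is responsible for closing documents before sleep.
            if self.open_files:
                self.log.append(f"{self.name}: files open, vault left mounted")
                return "left-open"
        elif policy == "security":
            # FAQ option 2: force-close regardless; unsaved edits are lost.
            for p in dirty:
                self.log.append(f"{self.name}: lost unsaved changes in {p}")
        elif policy == "save-then-close":
            # Guido's proposal: after the 60 s alert, save every open document,
            # then close and leave a note explaining why the vault is gone.
            for p in dirty:
                self.open_files[p] = False
                self.log.append(f"{self.name}: saved {p}")
            self.log.append(f"{self.name}: closed after 60 sec. of no reaction")
        else:
            raise ValueError(f"unknown policy {policy!r}")
        self.open_files.clear()
        self.mounted = False            # key no longer needed in memory
        return "locked"


def exposure_if_stolen(vault: Vault) -> str:
    """What a thief holding the still-powered, sleeping laptop can reach."""
    return "key-in-memory" if vault.mounted else "ciphertext-only"
```

The "safety" policy is the one that leaves a mounted vault, and therefore its key, behind when a document is left open; the other two trade that exposure for lost or auto-saved edits.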